GraphQL Introspection Scanner

This module queries a GraphQL API Endpoint to retrieve schema data by using introspection, if it is enabled on the server. This module works on all GraphQL versions. Module Options msf use auxiliary/scanner/http/graphqlintrospectionscanner msf auxiliarygraphqlintrospectionscanner show actions...

Samsung MagicINFO 9 Server Remote Code Execution (CVE-2024-7399)

Remote Code Execution in Samsung MagicINFO 9 Server use exploit/windows/http/magicinfotraversal msf exploitmagicinfotraversal show targets ...targets... msf exploitmagicinfotraversal set TARGET msf exploitmagicinfotraversal show options ...show and set options... msf exploitmagicinfotraversal...

TFTP Fetch, Linux Command Shell, Reverse TCP Stager

Fetch and execute an MIPSBE payload from a TFTP server. Spawn a command shell staged. Connect back to the attacker Module Options msf use payload/cmd/linux/tftp/mipsbe/shell/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show...

Asterisk AMI Originate Authenticated RCE

On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk versions 18.9-cert11 and 20.7-cert2, an AMI user with 'write=originate' may change all configuration files in the '/etc/asterisk/' directory. Writing a new extension can be created which performs a system command to...

VSFTPD 2.3.2 and Earlier STAT Denial of Service

This module triggers a Denial of Service condition in the VSFTPD server in versions before 2.3.3 tested on 2.3.0, 2.3.1, and 2.3.2. Version 2.3.3 and higher should not be vulnerable. Module Options msf use auxiliary/dos/ftp/vsftpd232 msf auxiliaryvsftpd232 show actions ...actions... msf...

Cisco ASA-X with FirePOWER Services Authenticated Command Injection

This module exploits an authenticated command injection vulnerability affecting Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's ASDM web server and lands in the FirePower Services SFR module's Linux virtual machine as the root user. Access to the virtual machine...

Oracle Weblogic PreAuth Remote Command Execution via ForeignOpaqueReference IIOP Deserialization

Oracle Weblogic 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0 prior to the Jan 2023 security update are vulnerable to an unauthenticated remote code execution vulnerability due to a post deserialization vulnerability. This occurs when an attacker serializes a "ForeignOpaqueReference" class object,...

Jenkins cli Ampersand Replacement Arbitrary File Read

This module utilizes the Jenkins cli protocol to run the help command. The cli is accessible with read-only permissions by default, which are all thats required. Jenkins cli utilizes args4j's parseArgument, which calls expandAtFiles to replace any @ with the contents of a file. We are then able t...

SuiteCRM authenticated SQL injection in export functionality

This module exploits an authenticated SQL injection in SuiteCRM in versions before 7.12.6. The vulnerability allows an authenticated attacker to send specially crafted requests to the export entry point of the application in order to retrieve all the usernames and their associated password from t...

Docker Image Persistence

This module maintains persistence on a host by creating a docker image which runs our payload, and has access to the host's file system /host in the container. Whenever the container restarts, the payload will run, or when the payload dies the executable will run again after a delay. This will...

TFTP Fetch

Fetch and execute an MIPSBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsbe/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and...

Glibc Tunables Privilege Escalation CVE-2023-4911 (aka Looney Tunables)

A buffer overflow exists in the GNU C Library's dynamic loader ld.so while processing the GLIBCTUNABLES environment variable. This issue allows an local attacker to use maliciously crafted GLIBCTUNABLES when launching binaries with SUID permission to execute code in the context of the root user...

OS Command Exec, Unix Command Shell, Bind UDP (via socat)

Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/bindsocatudp msf payloadbindsocatudp show actions ...actions... msf payloadbindsocatudp set ACTION msf payloadbindsocatudp show options ...show and set options... msf...

Joomla API Improper Access Checks

Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability. This vulnerability allows unauthenticated users access to webservice endpoints which contain sensitive information. Specifically for this module we exploit the users and config/application endpoints...

Init OpenRC Persistence

This module will create a service on the box via OpenRC, and mark it for auto-restart. We need enough access to write service files and potentially restart services. Verified against alpine 3.21.2 Module Options msf use exploit/linux/persistence/initopenrc msf exploitinitopenrc show targets...

TFTP Fetch

Fetch and execute an ARMBE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armbe/meterpreterreversehttp msf payloadmeterpreterreversehttp show actions ...actions... msf payloadmeterpreterreversehttp set ACTION msf payloadmeterpreterreversehttp show options ...show and se...

Webmin File Manager RCE

In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve Remote Code Execution via a crafted...

OS Command Exec, Unix Command Shell, Double Reverse TCP SSL (telnet)

Execute an OS command from PHP. Creates an interactive shell through two inbound connections, encrypts using SSL via "-z" option Module Options msf use payload/php/unix/cmd/reversessldoubletelnet msf payloadreversessldoubletelnet show actions ...actions... msf payloadreversessldoubletelnet set...

OS Command Exec, Unix Command Shell, Reverse TCP (via socat)

Execute an OS command from PHP. Creates an interactive shell via socat Module Options msf use payload/php/unix/cmd/reversesocattcp msf payloadreversesocattcp show actions ...actions... msf payloadreversesocattcp set ACTION msf payloadreversesocattcp show options ...show and set options... msf...

HTTP Fetch

Fetch and execute an x64 payload from an HTTP server. Module Options msf use payload/cmd/linux/http/x64/sethostname msf payloadsethostname show actions ...actions... msf payloadsethostname set ACTION msf payloadsethostname show options ...show and set options... msf payloadsethostname run This...

Netis Router Exploit Chain Reactor (CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457).

Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from a command injection vulnerability at the change admin password page of the router web interface see CVE-2024-48456 for more details. The vulnerability stems from improper handling of the 'password' and 'new...

vCenter Sudo Privilege Escalation

VMware vCenter Server use exploit/linux/local/vcentersudolpe msf exploitvcentersudolpe show targets ...targets... msf exploitvcentersudolpe set TARGET msf exploitvcentersudolpe show options ...show and set options... msf exploitvcentersudolpe exploit This module requires Metasploit:...

Geoserver unauthenticated Remote Code Execution

GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System GIS databases,...

pgAdmin Session Deserialization RCE

pgAdmin versions use exploit/multi/http/pgadminsessiondeserialization msf exploit...

GL.iNet Unauthenticated Remote Command Execution via the logread module.

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the glsystemlog and glcrashlog interface in the logread module. This exploit requires post-authentication using the Admin-Token...

TFTP Fetch

Fetch and execute an ARMLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/armle/meterpreterreversetcp msf payloadmeterpreterreversetcp show actions ...actions... msf payloadmeterpreterreversetcp set ACTION msf payloadmeterpreterreversetcp show options ...show and set...

TFTP Fetch

Fetch and execute an MIPSLE payload from a TFTP server. Module Options msf use payload/cmd/linux/tftp/mipsle/meterpreterreversehttps msf payloadmeterpreterreversehttps show actions ...actions... msf payloadmeterpreterreversehttps set ACTION msf payloadmeterpreterreversehttps show options ...show...

OS Command Exec, Unix Command Shell, Bind TCP (inetd)

Execute an OS command from PHP. Listen for a connection and spawn a command shell persistent Module Options msf use payload/php/unix/cmd/bindinetd msf payloadbindinetd show actions ...actions... msf payloadbindinetd set ACTION msf payloadbindinetd show options ...show and set options... msf...

Apache NiFi H2 Connection String Remote Code Execution

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. This exploit will result in several shells 5-7. Successfully test...

CVE-2022-21999 SpoolFool Privesc

The Windows Print Spooler has a privilege escalation vulnerability that can be leveraged to achieve code execution as SYSTEM. The SpoolDirectory, a configuration setting that holds the path that a printer's spooled jobs are sent to, is writable for all users, and it can be configured via...

MOVEit SQL Injection vulnerability

This module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used MySQL, Microsoft SQL Server, or Azure SQL, an attacker can leverage an...

WhatsUp Gold Credentials Dump

This module exports and decrypts credentials from WhatsUp Gold to a CSV file; it is intended as a post-exploitation module for Windows hosts with WhatsUp Gold installed. The module has been tested on and can successfully decrypt credentials from WhatsUp versions 11.0 to the latest 22.x. Extracted...

Microsoft Exchange ProxyLogon Scanner

This module scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authentication and impersonating as the admin CVE-2021-26855. By chaining this bug with another post-auth arbitrary-file-write vulnerability to get code execution CVE-2021-27065. As a result, a...

Powershell Exec

Execute an x64 payload from a command via PowerShell Module Options msf use payload/cmd/windows/powershell/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec...

GitLab Unauthenticated Remote ExifTool Command Injection

This module exploits an unauthenticated file upload and command injection vulnerability in GitLab Community Edition CE and Enterprise Edition EE. The patched versions are 13.10.3, 13.9.6, and 13.8.8. Exploitation will result in command execution as the git user. Module Options msf use...

HTTP Fetch, Reverse TCP Stager

Fetch and execute an AARCH64 payload from an HTTP server. Connect back to the attacker Module Options msf use payload/cmd/linux/http/aarch64/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf payloadreversetcp set ACTION msf payloadreversetcp show options ...show and set...

update-motd.d Persistence

This module will add a script in /etc/update-motd.d/ in order to persist a payload. The payload will be executed with root privileges everytime a user logs in. Root privileges are likely required to write to /etc/update-motd.d/. Verified on Ubuntu 22.04 Module Options msf use...

MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell)

MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This module will start an LDAP server that...

Service Upstart Persistence

This module will create a service on the box, and mark it for auto-restart. We need enough access to write service files and potentially restart services Targets: CentOS 6 Fedora = 9, = 9.10, use exploit/linux/persistence/initupstart msf exploitinitupstart show targets ...targets... msf...

TFTP Fetch

Fetch and execute an x64 payload from a TFTP server. Module Options msf use payload/cmd/windows/tftp/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...

TFTP Fetch, Linux Command Shell, Find Port Inline

Fetch and execute an PPC64 payload from a TFTP server. Spawn a shell on an established connection Module Options msf use payload/cmd/linux/tftp/ppc64/shellfindport msf payloadshellfindport show actions ...actions... msf payloadshellfindport set ACTION msf payloadshellfindport show options ...show...

WordPress King Addons for Elementor Unauthenticated Privilege Escalation to RCE

This module exploits an unauthenticated privilege escalation vulnerability in the WordPress King Addons for Elementor plugin versions 24.12.92 to 51.1.14. The vulnerability exists in the handleregisterajax function which allows unauthenticated attackers to specify the userrole parameter during...

Windows Download Execute

Downloads and executes the file from the specified url. Module Options msf use payload/windows/x64/downloadexec msf payloaddownloadexec show actions ...actions... msf payloaddownloadexec set ACTION msf payloaddownloadexec show options ...show and set options... msf payloaddownloadexec run...

Python Flask Cookie Signer

This is a generic module which can manipulate Python Flask-based application cookies. The Retrieve action will connect to a web server, grab the cookie, and decode it. The Resign action will do the same as above, but after decoding it, it will replace the contents with that in NEWCOOKIECONTENT,...

Apache "mod_userdir" User Enumeration

Apache with the UserDir directive enabled generates different error codes when a username exists and there is no publichtml directory and when the username does not exist, which could allow remote attackers to determine valid usernames on the server. This module requires Metasploit:...

Splunk __raw Server Info Disclosure

Splunk 6.2.3 through 7.0.1 allows information disclosure by appending /raw/services/server/info/server-info?outputmode=json to a query. Versisons 6.6.0 through 7.0.1 require authentication. Module Options msf use auxiliary/gather/splunkrawserverinfo msf auxiliarysplunkrawserverinfo show actions...

PHP Exec, PHP Meterpreter, PHP Reverse TCP Stager

Execute a PHP payload as an OS command from a Posix-compatible shell. Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions Module Options msf use payload/cmd/unix/php/meterpreter/reversetcp msf payloadreversetcp show actions ...actions... msf...

mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)

Credential Harvester in MyPRO Manager use auxiliary/admin/scada/mypromgrcreds msf auxiliarymypromgrcreds show actions ...actions... msf auxiliarymypromgrcreds set ACTION msf auxiliarymypromgrcreds show options ...show and set options... msf auxiliarymypromgrcreds run class MetasploitModule 'mySCA...

Fortra GoAnywhere MFT Unsafe Deserialization RCE

This module exploits CVE-2023-0669, which is an object deserialization vulnerability in Fortra GoAnywhere MFT. Module Options msf use exploit/multi/http/fortragoanywherercecve20230669 msf exploitfortragoanywherercecve20230669 show targets ...targets... msf exploitfortragoanywherercecve20230669 se...

pfSense Restore RRD Data Command Injection

This module exploits an authenticated command injection vulnerabilty in the "restorerrddata" function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the "WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands as the "root"...